
CVE-2026-3009

Severity: High

Published: 05 March 2026
Modified: 24 March 2026
KEV Added: not listed
Patch: available (RHSA-2026:3947, RHSA-2026:3948)
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (9.2th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-3009 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Redhat Build Of Keycloak. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 9.2th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- SI-2 (Flaw Remediation), prevent: Requires timely identification, reporting, and correction of flaws like the failure to enforce disabled IdP status in Keycloak's performLogin endpoint, enabling patching per RHSA-2026:3947.
- AC-3 (Access Enforcement), prevent: Mandates enforcement of approved authorizations to block authentication attempts using administratively disabled IdPs via reused login requests.
- prevent: Ensures proper selection, monitoring, and management of identity providers to prevent bypass of administrative restrictions on disabled IdPs.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

The CVE describes a remote authentication bypass in a public-facing Keycloak endpoint that permits use of a disabled IdP. This maps directly to exploiting a public-facing application (T1190) to obtain unauthorized access or privileges (T1068) through valid external accounts (T1078).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider.

Deeper analysis

CVE-2026-3009 is a security vulnerability in the IdentityBrokerService.performLogin endpoint of Keycloak. The flaw allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction, undermining access control enforcement and potentially enabling unauthorized authentication through a disabled external provider. It is associated with CWE-863 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

The vulnerability can be exploited remotely over the network with low attack complexity by an attacker possessing low privileges, such as a legitimate user account, and without requiring user interaction. By leveraging knowledge of the IdP alias and a prior login request, the attacker can circumvent the IdP disablement, achieving high-impact unauthorized access that compromises confidentiality and integrity but does not affect availability.
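The weakness described above is a state-freshness problem: the IdP's enabled flag is honoured when a login request is issued, but not re-checked when that request is later consumed. The following Python model is an added example, not Keycloak's code and not taken from the Red Hat advisories; the `BrokerService`, `IdentityProvider` and `LoginRequest` types, the `perform_login_*` methods and the constructed event records are all simplified stand-ins for illustration. It shows the weak pattern beside the hardened one (re-resolving the IdP by alias and enforcing `enabled` at the moment authentication completes), and a small detection helper that flags successful broker logins whose IdP is currently disabled. The event type and detail names used there (`IDENTITY_PROVIDER_LOGIN`, `identity_provider`) are assumed to mirror Keycloak's event log and should be checked against your deployment.

```python
"""
Simplified model (not Keycloak's code) of the control CVE-2026-3009 describes
as missing: the broker login step must re-check that the IdP is still enabled
when a previously issued login request is replayed after an admin disabled it.
"""
from dataclasses import dataclass
import secrets


@dataclass
class IdentityProvider:
    alias: str
    enabled: bool = True


@dataclass
class LoginRequest:
    """A login request issued earlier and possibly replayed later (hypothetical shape)."""
    token: str
    idp_alias: str


class BrokerService:
    """Hypothetical stand-in for a brokered-login service."""

    def __init__(self, idps):
        self.idps = {p.alias: p for p in idps}
        self.pending = {}  # token -> LoginRequest

    def admin_disable(self, alias):
        self.idps[alias].enabled = False

    def create_login_request(self, alias):
        # Both variants check the IdP state here, when the request is issued.
        idp = self.idps.get(alias)
        if idp is None or not idp.enabled:
            raise PermissionError(f"identity provider {alias!r} not available")
        req = LoginRequest(secrets.token_urlsafe(16), alias)
        self.pending[req.token] = req
        return req

    def perform_login_vulnerable(self, token):
        # Weak pattern: trusts the state captured when the request was created
        # and never consults the current IdP configuration.
        req = self.pending.get(token)
        if req is None:
            raise PermissionError("unknown login request")
        return f"authenticated via {req.idp_alias}"

    def perform_login_hardened(self, token):
        # Fix: re-resolve the IdP by alias and enforce enabled == True at the
        # moment authentication completes, not only when the request was issued.
        req = self.pending.get(token)
        if req is None:
            raise PermissionError("unknown login request")
        idp = self.idps.get(req.idp_alias)
        if idp is None or not idp.enabled:
            # Discard the stale request so it cannot be replayed later either.
            del self.pending[token]
            raise PermissionError(f"identity provider {req.idp_alias!r} is disabled")
        return f"authenticated via {idp.alias}"


def stale_request_accepted(hardened):
    """Regression check: issue a request, disable the IdP, then replay the request.

    Returns True if authentication still succeeded (the control is missing).
    """
    svc = BrokerService([IdentityProvider("github")])
    req = svc.create_login_request("github")
    svc.admin_disable("github")
    try:
        if hardened:
            svc.perform_login_hardened(req.token)
        else:
            svc.perform_login_vulnerable(req.token)
        return True
    except PermissionError:
        return False


# Constructed sample events (field names assumed, not captured from a real log).
SAMPLE_EVENTS = [
    {"type": "IDENTITY_PROVIDER_LOGIN", "user": "alice", "identity_provider": "github"},
    {"type": "IDENTITY_PROVIDER_LOGIN", "user": "bob", "identity_provider": "old-saml"},
    {"type": "LOGIN", "user": "carol", "identity_provider": None},
]


def flag_logins_via_disabled_idps(events, idps):
    """Detection aid: return broker-login events whose IdP is currently disabled.

    A non-empty result on a patched system is unexpected and worth investigating;
    on an unpatched system it is evidence the bypass has been exercised.
    """
    disabled = {p.alias for p in idps if not p.enabled}
    return [
        e for e in events
        if e.get("type") == "IDENTITY_PROVIDER_LOGIN"
        and e.get("identity_provider") in disabled
    ]


if __name__ == "__main__":
    print("vulnerable accepts stale request:", stale_request_accepted(hardened=False))
    print("hardened accepts stale request:  ", stale_request_accepted(hardened=True))
    idps = [IdentityProvider("github"), IdentityProvider("old-saml", enabled=False)]
    print("suspicious logins:", flag_logins_via_disabled_idps(SAMPLE_EVENTS, idps))
```

The design point is where the authorization decision is evaluated: the hardened path treats the stored login request as untrusted input that names an IdP, and re-derives "is this IdP usable right now" from the current configuration every time. The detection helper is the audit-side counterpart: compare past broker logins against the present IdP state so a disabled provider that still produces logins stands out.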

Red Hat Security Advisories RHSA-2026:3947 and RHSA-2026:3948 provide patches to address the issue. Further details on the vulnerability, including mitigation guidance, are available on the Red Hat CVE page at https://access.redhat.com/security/cve/CVE-2026-3009 and Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2441867.

Details

CWE(s)

CWE-863 (Incorrect Authorization)

Affected Products

- Red Hat build of Keycloak: 26.4, 26.4.10, all versions
- Red Hat JBoss Enterprise Application Platform: 8.0
- Red Hat JBoss Enterprise Application Platform expansion pack: all versions
- Red Hat Single Sign-On: 7.0

CVEs Like This One

- CVE-2026-3121 (same product: Redhat Build Of Keycloak)
- CVE-2026-4282 (same product: Redhat Build Of Keycloak)
- CVE-2025-12543 (same product: Redhat Jboss Enterprise Application Platform)
- CVE-2026-28367 (same product: Redhat Jboss Enterprise Application Platform)
- CVE-2026-28369 (same product: Redhat Jboss Enterprise Application Platform)
- CVE-2026-28368 (same product: Redhat Jboss Enterprise Application Platform)
- CVE-2026-4636 (same product: Redhat Build Of Keycloak)
- CVE-2026-3872 (same product: Redhat Build Of Keycloak)
- CVE-2026-3047 (same product: Redhat Build Of Keycloak)
- CVE-2026-3260 (same product: Redhat Jboss Enterprise Application Platform)
